Hive Keychain Independent Audit Proposal

@themarkymark

Everyone loves Hive Keychain; it is the only way to use many of the Hive dapps and still feel safe.

One thing that has always concerned me about Hive Keychain is that it has never been audited by a third party. There are many situations that may arise that put users of the Hive Keychain extension at risk. Some of these don't even involve the developers of the extension themselves.

Hive Keychain asks for a lot of trust: that it is safe today and that it stays safe across updates. Most users store their posting, memo, and even active keys in Hive Keychain.

I have consulted a few crypto software auditing companies to get a rough idea of what it would cost to audit Hive Keychain for security issues, and it isn't cheap. When you start trying to audit every release, it gets even more prohibitively expensive.

The cheapest I have found is $24,000 for an initial audit, with a 10% discount on future audits as code changes. That's another $21,600 for each release of Hive Keychain.

This proposal would provide one year of auditing of Hive Keychain, which I would do personally. I have first-hand knowledge of the Hive blockchain and experience in information security (it is in fact my career).

My offer

What I am offering is an initial and complete audit of the Hive Keychain extension on both the Google and Firefox web stores. Once this is complete, I will monitor all future updates of the extension and audit the changes for potential issues. I will decompile and audit the actual released version of the extension to ensure I am looking at the code actually deployed, in case for whatever reason it differs from the GitHub repository.
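As an added example of the "audit what is actually deployed" step (this is not code from the post or from the Hive Keychain project), the script below unpacks a store-published extension package and compares it file by file against a local build of the repository. Chrome Web Store packages are CRX containers (a "Cr24" header followed by a zip); Firefox add-ons (.xpi) are plain zips. The package, file names and the "tampered" background script below are constructed in memory so the script runs offline; the CRX3 header is zero-filled as a stand-in for the real signed protobuf header, which this example does not verify.

```python
"""Compare a store-published extension (.crx or .xpi) against a local build.

Added example, not Hive Keychain's code. demo() uses a constructed package;
for a real release, feed the downloaded .crx/.xpi bytes to extension_hashes()
and the built extension directory to dir_hashes().
"""
import hashlib
import io
import struct
import zipfile
from pathlib import Path

CRX_MAGIC = b"Cr24"


def crx_payload(data: bytes) -> bytes:
    """Strip the CRX container and return the embedded zip.

    CRX3: magic, uint32 version, uint32 header length, header, zip.
    CRX2: magic, uint32 version, uint32 key length, uint32 sig length,
          key, sig, zip.
    A Firefox .xpi is already a plain zip and is returned unchanged.
    """
    if data[:4] != CRX_MAGIC:
        return data
    (version,) = struct.unpack_from("<I", data, 4)
    if version == 3:
        (header_len,) = struct.unpack_from("<I", data, 8)
        return data[12 + header_len:]
    if version == 2:
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        return data[16 + key_len + sig_len:]
    raise ValueError(f"unsupported CRX version {version}")


def extension_hashes(package: bytes) -> dict[str, str]:
    """SHA-256 of every file inside the packaged extension."""
    with zipfile.ZipFile(io.BytesIO(crx_payload(package))) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir()
        }


def dir_hashes(root: Path) -> dict[str, str]:
    """SHA-256 of every file under a locally built extension directory."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def compare(store: dict[str, str], build: dict[str, str]) -> dict[str, list[str]]:
    """Files only in the store package, only in the build, or with different content."""
    return {
        "only_in_store": sorted(set(store) - set(build)),
        "only_in_build": sorted(set(build) - set(store)),
        "changed": sorted(f for f in store.keys() & build.keys() if store[f] != build[f]),
    }


def _zip_bytes(files: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from a name -> content mapping (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo() -> dict[str, list[str]]:
    """Constructed data: a fake CRX3 whose background script differs from the
    build and which carries an extra file the repository does not have."""
    build_files = {
        "manifest.json": b'{"name": "example", "version": "1.0"}',
        "background.js": b"chrome.runtime.onMessage.addListener(() => {});",
    }
    store_files = dict(build_files)
    # Hypothetical tampering: an extra network call not present in the repo.
    store_files["background.js"] += b"\nfetch('https://example.invalid/x');"
    store_files["extra.js"] = b"// not in the repository"
    zip_data = _zip_bytes(store_files)
    fake_header = b"\x00" * 16  # stand-in for the signed CRX3 protobuf header
    crx = CRX_MAGIC + struct.pack("<II", 3, len(fake_header)) + fake_header + zip_data
    build = {n: hashlib.sha256(c).hexdigest() for n, c in build_files.items()}
    return compare(extension_hashes(crx), build)


if __name__ == "__main__":
    for key, files in demo().items():
        print(f"{key}: {files}")
```

Published bundles are usually minified, so the build directory has to come from the repository's own release build at the tagged commit, otherwise every file shows as changed. A non-empty `changed` or `only_in_store` list says where to read closely; it does not by itself say the difference is malicious.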

This audit is security-focused only and will not look for bugs or optimizations.

I would ask for 61 HBD/day for 365 days, renewed yearly. To submit this proposal will cost 1 HBD/day beyond 60 days; the additional 1 HBD/day would be used to reimburse this cost. 60 HBD/day would be compensation for my time throughout the year. This would result in a total of 21,900 HBD, a few thousand under the lowest offer to audit the extension only once. I will provide that as well as future reviews in a reasonable time after new releases.

I believe it is critical that a third party reviews Hive Keychain (me or otherwise), not only once but on an ongoing basis, to ensure it remains a safe option for Hive users. This proposal would offer an independent and ongoing audit of the most critical piece of software used by most Hive users on a daily basis.

There is currently no active proposal for this audit, but if the community feels this is something they would support, I will draft it up and update this post.

Posted Using LeoFinance Beta